Heads up: Brute force attacks on the rise recently

Michael Cronenworth mike at cchtml.com
Wed Oct 28 23:03:29 UTC 2009


It seems in the past month brute force attacks are on the rise. They are
targeting anyone listening on port 22 and go after root. If you do not
have a hardened box, you will see thousands upon thousands of
connections in your logs. Once logged in they will set your system up in
their botnet.

Google: dt_ssh5
This little baby will get placed in /tmp and will be running. Looks to
be a SSH gateway for the attackers for easy access/control.

-Make sure your root password is not a dictionary word.
-Add iptables rules to limit multiple connections on SSH to 4 within a
minute.[1] Perhaps this needs to become a Fedora default.
-Update your system.
-Use SELinux.

Why am I sending this message? Is it SPAM? No. I've seen this hit a
customer and cause an explosion in their network traffic. The backdoor
was installed on Sept. 30th and was not detected until recently. Google
results seem to indicate this past month with higher than normal brute
force activity.

[1]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--set --name DEFAULT --rsource




More information about the users mailing list